Lost Laptops Compromise Secrets
The next day, caught in a maelstrom of criticism, Ashcroft called for the Justice Department's inspector general to perform an exhaustive audit of the entire department's weaponry and IT systems.
The FBI's admission is a chilling case of déjá vu. Over the past two years, the Energy and State departments have made similar disclosures. With three flare-ups in two years, some officials think laptop theft deserves more attention. "We have not addressed this as a policy issue governmentwide," says John Gilligan, deputy chief information officer of the Air Force and co-chair of the Chief Information Officers Council Subcommittee on Security, Privacy and Critical Infrastructure. "There needs to be an oversight process." Recent statistics indicate a national epidemic of laptop thefts. Columbus, Ohio, insurance company Safeware Inc. recorded 387,000 notebook thefts in 2000, 68,000 more than in 1999.
State Secrets
In January 2000, the State Department disclosed that a classified laptop with information about arms control was missing from a conference room. The ensuing furor resulted in an FBI investigation and the firing of two high-level diplomats. Four others received career-stalling reprimands. A subsequent audit of the department's laptops accounted for its remaining 60 classified laptops, but 15 of its 1,913 unclassified laptops were missing.
On May 31, 2000, Energy Department scientists at the Los Alamos National Laboratory reported the disappearance of two computer hard drives filled with classified information on weapons of mass destruction.
The hard drives were discovered two weeks later in the team's office, lodged behind a copy machine. An FBI investigation turned up no evidence that the hard drives had been compromised.
Gilligan, who was Energy's CIO at the time, says the department learned from its brush with catastrophe. He says securing classified data on laptops begins with encryption. Gilligan recommends encrypting the entire hard drive-including the operating system. "For classified information you need very strong encryption of everything on a computer," he says. The reason is simple: Intruders with access to the operating system or other applications on the hard drive could reverse the encryption software.
Suggested Solutions
The National Security Agency's Information Systems Security Organization has endorsed the purchase of RASP Secure Media by the intelligence community. Made by Kasten Chase Applied Research Inc., a Sterling, Va., IT firm, the three-part product provides user authentication, remote access link encryption and PC data security.
Furthermore, NSA has released guidance to government agencies on how to safeguard information on laptops, though this data is not public. Still, NSA can do nothing more than advise agencies on how to protect data.
Gilligan says agency personnel have legitimate reasons for using classified information while on the go, but he worries that too much of it is being stored on laptops. As storage capacities have grown, so has the amount of classified information residing on these mobile units. David Carpenter, assistant secretary of the State Department's Bureau of Diplomatic Security and director of the Office of Foreign Missions, echoed this view in a May 2000 internal memo. "Today's technology enables laptop computers to store vast amounts of information," he wrote. "Laptop computers are a high-risk target for theft and require us to take special safeguards to protect them." Carpenter's focus is on employee accountability. He makes sure State employees understand that the security procedures in the paper world apply to the electronic one as well. "Every individual is responsible to ensure that classified information is not processed on unclassified laptops," he wrote.
The memo included a reminder to State employees that "classified laptop computers, or their removable hard drives, must be protected in the same manner as other classified items." This means classified laptops are "only authorized for use in controlled-access areas where classified operations occur." Carpenter cautioned other laptop users that sensitive but unclassified laptops "also require physical protection, and laptop users should always consider where laptops are taken, used and stored."
State and Energy have used their respective blunders to address the issue of laptop security. Yet the FBI refuses to talk about how it handles classified information, so it is impossible to determine whether the data on its stolen laptops is protected.
NEXT STORY: Red Carpet